March 13, 2012

Eschewing the Ol’ Two Step

Anybody else as frustrated with the Google Two Step verification as I am? I thought so.

About a month ago, after consulting with a colleague of mine, I decided it might be a good test of Google's cheap-n-cheerful two-factor substitute, two-step verification. Oh, it sounds like a good idea. You enter your password (that part doesn't change). Then up pops yet another login screen. This one is looking for a code that is sent via SMS to your mobile phone. Or if that fails, you can have Google call you – or rather some robo-voice which gives you two more numbers than an SMS usually does. Once you successfully navigate that screen, you're home free! Or are you?

The problems I've run into are not the ones I expected. While travelling outside the good ol' U.S. of A. I figured I'd have problems. But the SMS messages got delivered overseas pretty handily. It wasn't until I got home that I began to achieve unexpected results.

I did not realize I used Gmail on so many computing devices. My home laptop, my home desktop, a virtual machine on my home desktop, a Wubi install on my laptop, and my work laptop. But in addition to those were the little devices, my iPhone and my iPad. These require another more sinister mechanism called Application Specific Passwords. Here, you sign in using your password and then name your application (iPhone) and get a sixteen-character password to type in. Then you can get your email on your iPhone. But wait! There's more!

If you use any of Google's other features such as Chrome Sync or YouTube or Google Reader, those mathematically inclined will quickly divine that if you use the last two on your iPhone or iPad (like I do), you will require four, maybe six, such application-specific passwords. And the device gives you no clue that this is going on. It just wants a password. It doesn't tell you that somewhere behind the scenes, it's looking for that 16-character behemoth. And on one machine, I try to enter the 16 characters so I can sync my Chrome, but the cursor just spins and spins.

Looking at the Accounts page chock full of my application-specific password status and connected sites, I'm surprised at just how much Google I consume. So I'm thinking I might just revert back to one-step authentication until such time as Google can make it a smoother user experience or I find a suitable non-Google substitute.